As a journalist at Computerworld Australia:
Symantec on Wednesday announced its Control Compliance Suite 8.2 that aims to simplify IT policy compliance for businesses through automated audits, reporting and database software.
At a Symantec media conference in Sydney, Clayton-Utz partner and ex-government lawyer Barry Dunphy outlined the governance issues associated with policy compliance and record keeping.
While both government and non-government organizations are increasingly obliged to comply with laws requiring the maintenance of proper records, there remain inconsistencies in evidence laws across Australia, he said.
Further legislation is currently in the works for Australia and the rest of the world. In the meantime, courts and lawyers are said generally to lack forensic experience with computer technology.
Electronic records of today are far more complex than the record management systems of 15 years ago, Dunphy said. In today's electronic age, where anything that stores information - be it a sound recording, video, picture or document - is a legal record, companies must look beyond the governing legislation into the policies of compliance regulation.
"People in my industry are far too casual about sending e-mails," he said. "They don't realize - and this is a key issue - that every e-mail is a public document and needs to be kept."
Electronic methods of storing and searching for documents, like Symantec's Enterprise Vault and IMLogic, provided in the software suite, are expected to assist organizations in complying with retention and discovery policies and fulfilling their freedom of information (FOI) obligations.
"E-mail and instant messaging [IM] are now legitimate forms of business communication," said Tim Hartman, senior technical director of Symantec Asia Pacific and Japan. "If an organization is exposed because of e-mail and IM then archiving and filtering is a legitimate form of managing the risks associated with its use."
There are concerns that maintaining records of all e-mails and IM conversations in an organization may infringe on the privacy of its employees and their correspondents. However, on the flip side, they do afford great convenience to electronic records management.
According to Hartman, "as long as employees are clearly aware that these controls are in place, there are generally few if any problems".
Irene Graham, executive director of online freedom and rights advocacy organization Electronic Frontiers Australia noted that individuals may not always appreciate their personal messages being stored by their employers.
"But," she said, "at the end of the day, it's up to the employers and employees to discuss the permitted usage of office resources - the company obviously has the right to manage its business affairs."
"We don't like it," she admitted, "but in our view it would be completely impractical to try to distinguish what is a business communication that has been received from what is personal."
And while personal communication may be stored, they are unlikely to be released through FOI requests.
"The way the FOI works," Dunphy explained, "is that all of the business records would be captured to get the business e-mails. [Personal e-mails] wouldn't be subject to FOI, because it only covers documents related to the company's operations."
The Symantec Control Compliance Suite has been developed to support the standards that are most often referenced, such as ISO 17799/27001 or COBIT. Adhering to these standards, said Hartman, will support compliance to most regulations.
Administrators have the option of adjusting which regulations are monitored by the software, to better suit the needs of their organization.
The suite is an upgrade to the by-Control portfolio of products and includes titles such as Enterprise Security Manager, Incident Manager, NetBackup and Sygate Network Access Control. It is priced from $1200 per Manager Server.
Running across the range of existing software is the new Policy Manager, which, according to Symantec senior product manager Jitesh Chanchani, has been developed from "a set of universal regulatory statements" as "an overarching compliance reporting product".
